Actually I am trying to write one rule in local.cf spamassassin.
What I need is to block all Viagra emails.
As you know in these emails they write Viagra,VIAGRA,VIAGRA(c) sometimes in the Subject field, sometimes in the Name field, sometime it is the body of the message.
Can you please tell me what will be rule exactly to stop all these emails?
I have two more to add:
body LOCAL_OBFU_VIAGRA /(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\W_]{0,3}(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\W_]{0,3}(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\W_]{0,3}(?:[g6]|\xC4[\x9C-\xA3]])[\W_]{0,3}(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\W_]{0,3}(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VIAGRA 1.8
describe LOCAL_OBFU_VIAGRA Obfuscated 'VIAGRA' in body
The rule above will block obfuscated "Viagra" in the body of the message. The following rule does the same sort of thing but with special characters spelled out:
describe MANGLED_VIAGRA mangled viagra
body MANGLED_VIAGRA /(?!viagra)v{1,3}(?:[_\W]{0,5}|[viagra])[iÌÍÎÏìíîï\|1l\!](?:[_\W]{0,5}|[viagra])[aÀÁÂÃÄÅàáâãäå4\@](?:[_\W]{0,5}|[viagra])g(?:[_\W]{0,5}|[viagra])r(?:[_\W]{0,5}|[viagra])[aÀÁÂÃÄÅàáâãäå4\@]/i
score MANGLED_VIAGRA 2.5
Well, you can try these kind of simple rules:
header VIAGRA_SUBJECT Subject =~ /viagra/i
header VIAGRA_FROM From =~ /viagra/i
meta VIAGRA_HEADER VIAGRA_FROM && VIAGRA_SUBJECT
score VIAGRA_HEADER 10.0
describe VIAGRA_HEADER Block Mails with Viagra in subject
body VIAGRA_BODY /viagra/i
score VIAGRA_BODY 10.0
describe VIAGRA_BODY Block Mails with Viagra in body
